Linear-time zero-knowledge SNARKs for R1CS

This paper studies zero-knowledge SNARKs for NP, where the prover incurs O(N) finite field operations to prove the satisfiability of an N -sized R1CS instance. We observe that recent work of Bootle, Chiesa, and Groth (BCG, TCC 20) provides a polynomial commitment scheme that, when combined with the linear-time interactive proof system of Spartan (CRYPTO 20), yields linear-time SNARKs for R1CS. Specifically, for security parameter λ, and for an N -sized R1CS instance over a field of size exp(λ) and fixed > 0, the prover incurs O(N) finite field operations to produce a proof of size Oλ(N ) that can be verified in Oλ(N )—after a one-time preprocessing step, which requires O(N) finite field operations. This reestablishes the main result of BCG. Arguably, our approach is conceptually simpler and more direct. Additionally, the polynomial commitment scheme that we distill from BCG is of independent interest; it improves over the prior state of the art by offering the first scheme where the time to commit and to prove an evaluation of a committed polynomial are both O(N) finite field operations for an N -sized polynomial. We further observe that one can render the aforementioned SNARK zero knowledge and reduce the proof size and verifier time to polylogarithmic—while maintaining a linear-time prover—by outsourcing the verifier’s work via one layer of proof composition with an existing zkSNARK as the “outer” proof system. A similar result was recently obtained by Bootle, Chiesa, and Liu (ePrint 2020/1527).

[1]  Yael Tauman Kalai,et al.  Delegating computation: interactive proofs for muggles , 2008, STOC.

[2]  Graham Cormode,et al.  Practical verified computation with streaming interactive proofs , 2011, ITCS '12.

[3]  Manuel Blum,et al.  Checking the correctness of memories , 2005, Algorithmica.

[4]  Eli Ben-Sasson,et al.  Fast reductions from RAMs to delegatable succinct constraint satisfaction problems: extended abstract , 2013, ITCS '13.

[5]  Daniel Slamanig,et al.  Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives , 2017, CCS.

[6]  Jonathan Lee,et al.  Proving the correct execution of concurrent services in zero-knowledge , 2018, IACR Cryptol. ePrint Arch..

[7]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[8]  Jonathan Lee,et al.  Dory: Efficient, Transparent arguments for Generalised Inner Products and Polynomial Commitments , 2020, IACR Cryptol. ePrint Arch..

[9]  Jens Groth,et al.  Linear-Time Zero-Knowledge Proofs for Arithmetic Circuit Satisfiability , 2017, IACR Cryptol. ePrint Arch..

[10]  Dawn Song,et al.  Transparent Polynomial Delegation and Its Applications to Zero Knowledge Proof , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[11]  Daniel A. Spielman,et al.  Linear-time encodable and decodable error-correcting codes , 1995, STOC '95.

[12]  Nir Bitansky,et al.  From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again , 2012, ITCS '12.

[13]  Jonathan Katz,et al.  vSQL: Verifying Arbitrary SQL Queries over Dynamic Outsourced Databases , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[14]  Jesper Madsen,et al.  ZKBoo: Faster Zero-Knowledge for Boolean Circuits , 2016, USENIX Security Symposium.

[15]  Ian Goldberg,et al.  Constant-Size Commitments to Polynomials and Their Applications , 2010, ASIACRYPT.

[16]  Ron Rothblum,et al.  Local Proofs Approaching the Witness Length [Extended Abstract] , 2020, 2020 IEEE 61st Annual Symposium on Foundations of Computer Science (FOCS).

[17]  Yuval Ishai,et al.  Linear-time encodable codes meeting the gilbert-varshamov bound and their cryptographic applications , 2014, ITCS.

[18]  A. Chiesa,et al.  Linear-Time Arguments with Sublinear Verification from Tensor Codes , 2020, IACR Cryptology ePrint Archive.

[19]  Abhi Shelat,et al.  Full Accounting for Verifiable Outsourcing , 2017, CCS.

[20]  Rafail Ostrovsky,et al.  Line-Point Zero Knowledge and Its Applications , 2020, IACR Cryptol. ePrint Arch..

[21]  Abhiram Kothapalli,et al.  A Direct Construction for Asymptotically Optimal zkSNARKs , 2020, IACR Cryptology ePrint Archive.

[22]  Eli Ben-Sasson,et al.  Interactive Oracle Proofs , 2016, TCC.

[23]  Benjamin Braun,et al.  Verifying computations with state , 2013, IACR Cryptol. ePrint Arch..

[24]  Srinath T. V. Setty,et al.  Making argument systems for outsourced computation practical (sometimes) , 2012, NDSS.

[25]  Jens Groth,et al.  On the Size of Pairing-Based Non-interactive Arguments , 2016, EUROCRYPT.

[26]  Helger Lipmaa,et al.  Progression-Free Sets and Sublinear Pairing-Based Non-Interactive Zero-Knowledge Arguments , 2012, TCC.

[27]  Eli Ben-Sasson,et al.  Aurora: Transparent Succinct Arguments for R1CS , 2019, IACR Cryptol. ePrint Arch..

[28]  Justin Thaler,et al.  Time-Optimal Interactive Proofs for Circuit Evaluation , 2013, CRYPTO.

[29]  Ben Fisch,et al.  Transparent SNARKs from DARK Compilers , 2020, IACR Cryptol. ePrint Arch..

[30]  Siqi Liu,et al.  Zero-Knowledge Succinct Arguments with a Linear-Time Prover , 2020, IACR Cryptol. ePrint Arch..

[31]  Benjamin Braun,et al.  Taking Proof-Based Verified Computation a Few Steps Closer to Practicality , 2012, USENIX Security Symposium.

[32]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, STOC '11.

[33]  Joe Kilian,et al.  A note on efficient zero-knowledge proofs and arguments (extended abstract) , 1992, STOC '92.

[34]  Sean Bowe,et al.  Recursive Proof Composition without a Trusted Setup , 2020 .

[35]  Srinath Setty,et al.  Quarks: Quadruple-efficient transparent zkSNARKs , 2020, IACR Cryptol. ePrint Arch..

[36]  Srinath T. V. Setty,et al.  Spartan: Efficient and general-purpose zkSNARKs without trusted setup , 2020, IACR Cryptol. ePrint Arch..

[37]  Yuval Ishai,et al.  Low-Complexity Cryptographic Hash Functions , 2017, ITCS.

[38]  Abhi Shelat,et al.  Doubly-Efficient zkSNARKs Without Trusted Setup , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[39]  Nicholas Spooner,et al.  Proof-Carrying Data from Accumulation Schemes , 2020, IACR Cryptol. ePrint Arch..

[40]  Dawn Xiaodong Song,et al.  Libra: Succinct Zero-Knowledge Proofs with Optimal Prover Computation , 2019, IACR Cryptol. ePrint Arch..

[41]  Matthew Green,et al.  ZEXE: Enabling Decentralized Private Computation , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[42]  Rafail Ostrovsky,et al.  Efficient Arguments without Short PCPs , 2007, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[43]  Paul Valiant,et al.  Incrementally Verifiable Computation or Proofs of Knowledge Imply Time/Space Efficiency , 2008, TCC.

[44]  Yuval Ishai,et al.  Ligero: Lightweight Sublinear Arguments Without a Trusted Setup , 2017, Designs, Codes and Cryptography.

[45]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[46]  Ariel Gabizon,et al.  PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge , 2019, IACR Cryptol. ePrint Arch..

[47]  Mary Maller,et al.  Marlin: Preprocessing zkSNARKs with Universal and Updatable SRS , 2020, IACR Cryptol. ePrint Arch..

[48]  Nicholas Spooner,et al.  Fractal: Post-Quantum and Transparent Recursive Proofs from Holography , 2020, IACR Cryptol. ePrint Arch..

[49]  Jens Groth,et al.  Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[50]  Carsten Lund,et al.  Algebraic methods for interactive proof systems , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[51]  Benjamin Braun,et al.  Resolving the conflict between generality and plausibility in verified computation , 2013, EuroSys '13.

[52]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[53]  Alex J. Malozemoff,et al.  Mac'n'Cheese: Zero-Knowledge Proofs for Arithmetic Circuits with Nested Disjunctions , 2020, IACR Cryptol. ePrint Arch..

[54]  Jon Howell,et al.  Geppetto: Versatile Verifiable Computation , 2015, 2015 IEEE Symposium on Security and Privacy.

[55]  Srinath T. V. Setty,et al.  Replicated state machines without replicated execution , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[56]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[57]  Kang Yang,et al.  Fast, Scalable, and Communication-Efficient Zero-Knowledge Proofs for Boolean and Arithmetic Circuits , 2020, IACR Cryptol. ePrint Arch..

[58]  Zuocheng Ren,et al.  Efficient RAM and control flow in verifiable outsourced computation , 2015, NDSS.

[59]  Nir Bitansky,et al.  Recursive composition and bootstrapping for SNARKS and proof-carrying data , 2013, STOC '13.

[60]  Guy N. Rothblum,et al.  Constant-Round Interactive Proofs for Delegating Computation , 2016, Electron. Colloquium Comput. Complex..

[61]  Dan Boneh,et al.  Halo Infinite: Recursive zk-SNARKs from any Additive Polynomial Commitment Scheme , 2020, IACR Cryptol. ePrint Arch..